DealerBuilt, an Iowa-based dealership software provider, reached a settlement with the Federal Trade Commission on Wednesday over a 2016 data breach that allowed a hacker to gain access to the personal information of around 12.5 million consumers stored by 130 dealerships. This information included names, addresses, phone numbers, and Social Security numbers for both customers and employees.
The database was initially found on Shodan with port 873 open, the port commonly used by the rsync protocol, which synchronizes copies of files between two computers. These machines, known as LightYear machines, were backing up to DealerBuilt's central systems without any encryption or access controls, allowing anyone who could reach the port to see what was being backed up.
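The exposure described above is what an rsync daemon looks like when a module is served on port 873 with no authentication and no host restriction. As an added example (not DealerBuilt's configuration or code), the following audits an rsyncd.conf for exactly those conditions; the sample configuration and module names are constructed for illustration.

```python
"""Audit an rsyncd.conf for modules that expose data to anyone who can reach port 873."""

# Constructed sample, not a real configuration: one unprotected backup module of the
# kind found on the open port, and one module that is restricted and authenticated.
SAMPLE_CONF = """
# global settings
port = 873
uid = nobody

[lightyear_backup]
    path = /srv/backups
    read only = no

[reports]
    path = /srv/reports
    read only = yes
    auth users = reports_user
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.20.0.0/16
"""


def parse_rsyncd(text):
    """Return (global_options, modules); modules maps module name -> {option: value}."""
    global_opts, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # rsyncd.conf ignores whole comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        (modules[current] if current is not None else global_opts)[key.lower()] = value
    return global_opts, modules


def audit_modules(text):
    """Return {module: [findings]} for modules readable or writable by arbitrary hosts."""
    _, modules = parse_rsyncd(text)
    findings = {}
    for name, opts in modules.items():
        issues = []
        if not opts.get("auth users"):
            issues.append("no 'auth users': any client reaching the daemon can read the module")
        elif not opts.get("secrets file"):
            issues.append("'auth users' set but no 'secrets file': logins cannot be verified")
        if not opts.get("hosts allow"):
            issues.append("no 'hosts allow': module is reachable from any source address")
        if opts.get("read only", "yes").lower() in ("no", "false", "0"):   # rsync default is read-only
            issues.append("writable module: a remote client can alter or plant backup files")
        if issues:
            findings[name] = issues
    return findings
```

Even a module that passes this audit is still served in cleartext by the daemon protocol, so the transport itself belongs on a VPN or behind rsync-over-SSH.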
DealerBuilt CEO Michael Trasatti said Wednesday that the company took immediate action when the breach occurred in 2016 and worked with customers. "We take securing customer data seriously," Trasatti said in a statement. "We work to continuously improve our security." The dealership management system provider agreed to a settlement with the FTC over the attack and will "take steps to better protect the data it collects," the FTC said.
The breach will be resolved with a final consent agreement, which won’t be made public unless it is accepted by the FTC. As part of the proposed consent agreement, DealerBuilt is required to implement a security program in accordance with the Safeguards Rule and is prohibited from handling consumer data until the program is in place.
Further, DealerBuilt will be required to ensure that all devices on its network with access to personal information are securely installed and inventoried at least once annually, to engage in vulnerability testing every four months and promptly after a covered incident, and to perform penetration testing of the network at least annually and promptly after a covered incident.